DEBIAN-CVE-2019-5477

Advisory lineage Upstream: 1 Downstream: 3

Upstream

CVE-2019-5477

Downstream

DLA-1933-1 DLA-3149-1 DLA-3150-1

Published: 16 Aug 2019, 16:15

Last modified:28 Apr 2026, 20:20

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

16 Aug 2019, 16:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:20

Last Modified

Vulnerability information updated

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

debian•rexical
< 1.0.7-1 | < 1.0.7-1 | < 1.0.7-1 | < 1.0.7-1
debian•ruby-nokogiri
< 1.10.4+dfsg1-1 | < 1.10.4+dfsg1-1 | < 1.10.4+dfsg1-1 | < 1.10.4+dfsg1-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2019-5477